Package upgrade inside the image build
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
Running apt-get upgrade / dist-upgrade (or apk/yum upgrade) inside a build pins nothing and makes the image depend on when it was built.
Why it matters
Running apt-get upgrade or dist-upgrade during the build upgrades packages to whatever is current at build time, which pins nothing and makes the image depend on the build date. Two builds days apart can differ, and a bad upstream update lands with no review.
How to fix it
Remove the in-build upgrade. Instead, pin a recent, patched base image tag (and digest) and install the specific package versions you need. Rebuild on a schedule to pick up patches deliberately by bumping the base image.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo